1. Creating a rogue CA certificate

    Date Tue 30 December 2008

    Today a nice presentation was given at CCC, entitled MD5 considered harmful today: Creating a rogue CA certificate.

    It explains that, despite having been broken for several years, MD5 is still used by some important CAs. Using this attack, they were able to generate a rogue CA certificate, and so to issue certificates that all browsers mark as trusted. As a result, the security of some websites, like banks or e-commerce sites, could be severely compromised!

    So it seems that, unlike the people who promised the end of the world (like Dan Kaminsky at BlackHat 2008, Kris Kapersky at HITB, and Robert E. Lee and Jack C. Louis at T2 and Sec-T), this one could really have some serious consequences.

    Congrats to them!

    Solutions:

    • Ban MD5 and certificates signed with it (like those issued by RapidSSL, even in 2008)
    • For CA implementations, randomizing the serial numbers of issued certificates could help mitigate the problem

    Links:

    read more
  2. Captive Portals are BAD!

    Captive portals almost always work by validating the IP address of the client, and often the MAC address. This creates a false sense of security, because it is quite easy to bypass. Let’s explain the most common problem: spoofing.

    Installing a captive portal

    I have chosen to install Alcasar, which claims to be a highly secure solution developed by the French Ministry of Defense.

    First surprise: it’s a shell script! In fact, it’s not really an application, only an installer for a few packages, with some configuration. Installation went pretty badly:

    • the installer only works for a specific version of Mandriva (2007), which is quite old and buggy on my hardware
    • most things are hardcoded: the installer blew up without any error message because my network address does not end in 0 (10.0.0.129/25)
    • my third network card is not even used by the script! Too bad for the DMZ

    After 4 or 5 retries and some modifications to the script, I finally got a working server.

    First tests

    After a reboot, everything seems to work. I got an address using DHCP and tried to connect to Google... OK, the captive portal appears and asks for a login. With ...

    read more
  3. Materials for CanSecWest 2008

    Date Sun 19 October 2008


    These talks have probably been online for a while, but as most of them are really interesting, have a look at the CanSecWest 2008 conference materials:

    read more
  4. gcc security features (part 2)

    (See part 1)

    Remember: you must compile with -O2 if you want the checks to be effective

    DEB_BUILD_HARDENING_FORTIFY (gcc/g++ -D_FORTIFY_SOURCE=2)

    The idea behind FORTIFY_SOURCE is relatively simple: there are cases where the compiler can know the size of a buffer (if it’s a fixed-size buffer on the stack, as in the example, or if the buffer just came from a malloc() call). With a known buffer size, the functions that operate on the buffer can make sure it will not overflow.

    Example:

    /* deliberately vulnerable: strcpy() has no idea how big buf is */
    #include <string.h>

    void foo(char *string)
    {
        char buf[20];          /* fixed-size stack buffer, size known to gcc */
        strcpy(buf, string);   /* overflows as soon as strlen(string) >= 20 */
    }
    

    Execution will fail:

    [home ~/harden] ./bad $(perl -e 'print "A"x100')
    zsh: segmentation fault  ./bad $(perl -e 'print "A"x100')
    

    When compiling with -D_FORTIFY_SOURCE=2, gcc will add some checks to detect the overflow and terminate the program:

    [home ~/harden] DEB_BUILD_HARDENING=1 make
    [home ~/harden] ./bad $(perl -e 'print "A"x100')
    
    *** buffer overflow detected ***: ./bad terminated
    ======= Backtrace: =========
    /lib/libc.so.6(__fortify_fail+0x37)[0x2ba8d18fb787]
    /lib/libc.so.6[0x2ba8d18f9e70]
    ./bad(main+0x26)[0x555555554856]
    /lib/libc.so.6(__libc_start_main+0xf4)[0x2ba8d18411c4]
    ./bad[0x555555554789]
    ======= Memory map:  ========
    2ba8d1607000-2ba8d1622000 r-xp 00000000 03:01 468316                     /lib/ld-2.7.so
    2ba8d1622000-2ba8d1625000 rw-p 2ba8d1622000 00:00 0 
    2ba8d1821000-2ba8d1823000 rw-p 0001a000 ...
    read more
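    As an added example (not code from the post), here is the check that _FORTIFY_SOURCE=2 makes gcc and glibc insert around strcpy() when the destination size is known, written out explicitly so the decision is visible; checked_strcpy, foo_hardened and foo_hardened_with_As are names chosen for this example.

```c
#include <stddef.h>
#include <string.h>

/* Copy src into dst only if it fits, terminating NUL included.
 * Returns 0 on success; returns -1 and leaves dst untouched when src
 * would overflow. This is the decision glibc's __strcpy_chk() takes
 * (then aborting with "buffer overflow detected") once gcc has passed
 * it the known destination size. */
int checked_strcpy(char *dst, size_t dst_size, const char *src)
{
    size_t need = strlen(src) + 1;   /* bytes needed, NUL included */
    if (need > dst_size)
        return -1;                   /* would overflow: refuse */
    memcpy(dst, src, need);
    return 0;
}

/* Hardened counterpart of the post's foo(): sizeof buf is a compile-time
 * constant, which is exactly the case FORTIFY_SOURCE can protect. Returns
 * the copied length, or -1 when the input is rejected. */
int foo_hardened(const char *string)
{
    char buf[20];
    if (checked_strcpy(buf, sizeof buf, string) != 0)
        return -1;                   /* caller decides, no abort needed */
    return (int)strlen(buf);
}

/* Replay the post's test input: a string of count 'A's (count < 128). */
int foo_hardened_with_As(size_t count)
{
    char s[128];
    if (count >= sizeof s)
        return -2;
    memset(s, 'A', count);
    s[count] = '\0';
    return foo_hardened(s);
}
```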
  5. BlackHat 2008 materials

    The Black Hat Europe 2008 Media Archives are now online. I wasn’t there, but the archives contain some interesting materials:

    • Spam-Evolution
    • LDAP Injection & Blind LDAP Injection (see my post)
    • New Viral Threats of PDF Language
    • 0-Day Patch -Exposing Vendors (In)Security Performance
    • Client-side Security
    • Attacking Anti-Virus (there was a presentation on the same subject at CanSecWest and Hack.lu)
    • Investigating Individuals and Organizations Using Open Source Intelligence
    • DTRACE: The Reverse Engineer’s Unexpected Swiss Army Knife

    Related links:

    read more
  6. gcc security features (part 1)

    Since recent versions (>= 4.0, maybe earlier), gcc (and ld) have had some nice security features. Debian has created a wrapper for the toolchain to make these features easy to use.

    To install the wrapper, run:

    apt-get install hardening-wrapper
    

    To enable the hardening features, you have to export the environment variable:

    export DEB_BUILD_HARDENING=1
    

    The features include additional checks for printf-like functions, stack protector, using address-space layout randomization (ASLR), marking ELF-sections as read-only after loading when possible, etc.

    Please note that you must compile with *-O2* if you want the checks to be effective

    DEB_BUILD_HARDENING_FORMAT (gcc/g++ -Wformat -Wformat-security)

    Asks gcc to perform additional checks on format strings, to prevent format string attacks.

    The following code, for example:

    printf(buf);
    

    will result in a warning:

    [home ~/harden] DEB_BUILD_HARDENING=1 make
    gcc     bad.c   -o bad
    bad.c: In function ‘main’:
    bad.c:10: warning: format not a string literal and no format arguments
    

    Why is this code vulnerable? Because the buffer (buf) could contain format characters like %s, which printf will interpret, popping arguments from the stack; this can result in the execution of arbitrary code.

    Solution:

    • Replace previous code by
    printf("%s",buf);
    
    • Remember this ...
    read more
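    As an added example (not code from the post), here is the recommended pattern in use, with the format string kept literal and the user data passed only as an argument, plus a small helper that flags input carrying printf directives, which is useful when reviewing logs or inputs for attempted abuse of code not yet fixed; format_user_line, has_format_directive and line_matches are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Write "user=<user> msg=<msg>" into out. The format string is a literal
 * and the user data are arguments, so '%' sequences inside user or msg are
 * copied verbatim, never interpreted. Returns the length written, or -1
 * when out is too small (snprintf reports the truncation). */
int format_user_line(char *out, size_t out_size, const char *user, const char *msg)
{
    int n = snprintf(out, out_size, "user=%s msg=%s", user, msg);
    if (n < 0 || (size_t)n >= out_size)
        return -1;
    return n;
}

/* Return 1 if s holds a '%' that printf(s) would have treated as a
 * conversion directive ("%%" is just a literal percent sign), else 0. */
int has_format_directive(const char *s)
{
    const char *p = strchr(s, '%');
    while (p != NULL) {
        if (p[1] != '%')
            return 1;
        p = strchr(p + 2, '%');   /* skip the "%%" pair */
    }
    return 0;
}

/* Format into a local buffer and compare with expected:
 * 1 on match, 0 on mismatch or truncation. */
int line_matches(const char *user, const char *msg, const char *expected)
{
    char out[64];
    if (format_user_line(out, sizeof out, user, msg) < 0)
        return 0;
    return strcmp(out, expected) == 0;
}
```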
  7. CanSecWest 2008


    Sébastien and I gave a presentation, IDS Correlation: A Weapon of Mass Investigation (slides), at CanSecWest.

    Most of the presentations were very interesting, including attacks against anti-virus software (they are the most interesting targets, imho: they run with system privileges, include parsers for many protocols, are present on almost all machines, etc.), secure programming with gcc and glibc, snort 3 (our presentation was just after Marty’s), fuzzing with Peach, and some others I do not remember at the moment.

    We also gave two lightning talks, one on the Authenticating Firewall NuFW (slides here) and one on the Signatures.NU project (slides here).


    We even won a beer for doing the presentation :)

    After so much work (and eating so much sushi with delicious wild salmon), we went skiing in Whistler, which was great.


    Many thanks to all the people from the conference and to all who helped us!

    Some links:

    read more
  8. Prelude quick install

    To install Prelude, the Hybrid IDS (or Meta IDS), on Debian in less than ten minutes, just use the packages:

    • install a database (PostgreSQL or MySQL)
    • install the Prelude manager, all needed packages will be installed automatically
    apt-get install prelude-manager
    
    • during the installation, dbconfig will ask to configure the database. Say yes, and give the parameters. dbconfig will create a new user, set a password, create the SQL schema and configure prelude-manager to use it.

    This should be enough for the manager. You will have to change the manager’s listen address (by default it is restricted to localhost) if it must listen on the network.

    To add agents (sensors), you have to install the package and register a new profile for each sensor. For example:

    apt-get install prelude-lml
    apt-get install snort
    

    Create a new profile:

    prelude-admin register prelude-lml "idmef:w" <manager address> --uid 0 --gid 0
    ...
    prelude-admin register snort "idmef:w" <manager address> --uid 0 --gid 0
    ...
    

    Follow the instructions for the registration.

    Check the address of the manager in the config (global file is /etc/prelude/default/client.conf):

    server-addr = 192.168.1.1
    

    For a complete installation guide (with explanations) including the web interface Prewikka, look at the Prelude ...

    read more
  9. Conference: OSSIR

    Sébastien and I gave a presentation for OSSIR.

    The subject was: Visualisation appliquée à la détection d’intrusion (which can roughly be translated as “visualization applied to intrusion detection”). The slides can be found in the list of presentation materials.

    The talk covered our work over the past year on intrusion detection, with the proposed implementation of a correlator, some explanations of classifications and current limitations, and how some graphs can help, especially the parallel axes representation.


    read more
  10. LDAP injections, reflections

    While searching for some security papers, I’ve been looking for something about LDAP injections.

    Let’s have a look at what OWASP says on their site:

    The same advanced exploitation techniques available in SQL Injection can be similarly applied in LDAP Injection.

    There is a problem here: there are some big differences between SQL and LDAP, which lead to differences in security:

    • in SQL, commands and values are expressed in the same input (a string containing a command). Several commands can be specified in one string:
    "SELECT field FROM table WHERE ...; DROP TABLE xx;"
    
    • while in LDAP, the filter contains only filter parameters, in a specific representation (RFC 2254). This representation uses a prefix form (the boolean operator comes before the fields), and each field must be enclosed in parentheses:
    "( & (uid=john.doe) (objectClass=person) )"
    

    OWASP gives some examples, for a filter (cn=%s):

    1. If a user puts “*” in the search box, the system may return all the usernames in the LDAP base
    2. If a user puts “jonys) (| (password = * ) )”, it will generate the code below, revealing jonys’ password

    What? One could make an application display the password?!

    The first line is true: any filter like (uid=*) will return all users having ...

    read more
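    As an added example (not from the post or from OWASP), here is the escaping that RFC 2254 section 4 requires for a value placed inside a filter, applied to the post’s (cn=%s) case: once escaped, the “jonys) (| (password = * ) )” input can no longer close the cn term or inject an OR branch. ldap_escape_value, build_cn_filter and cn_filter_equals are names chosen for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape '*', '(', ')', '\' and NUL as \2a, \28, \29, \5c, \00, as RFC 2254
 * section 4 requires for a value inside a filter. Other bytes pass through
 * unchanged, so UTF-8 values survive. Returns the escaped length, or -1
 * if out is too small. */
int ldap_escape_value(const char *in, size_t in_len, char *out, size_t out_size)
{
    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {
        unsigned char c = (unsigned char)in[i];
        int special = (c == '*' || c == '(' || c == ')' || c == '\\' || c == '\0');
        size_t need = special ? 3 : 1;
        if (o + need + 1 > out_size)       /* +1 keeps room for the final NUL */
            return -1;
        if (special) {
            snprintf(out + o, 4, "\\%02x", (unsigned)c); /* "\2a" plus its NUL */
            o += 3;
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Build the post's "(cn=%s)" filter with the value escaped first, so the
 * value can only ever match a cn, never close the term or add a branch.
 * Returns 0 on success, -1 if the result does not fit in out. */
int build_cn_filter(const char *value, char *out, size_t out_size)
{
    char esc[256];
    if (ldap_escape_value(value, strlen(value), esc, sizeof esc) < 0)
        return -1;
    int n = snprintf(out, out_size, "(cn=%s)", esc);
    return (n < 0 || (size_t)n >= out_size) ? -1 : 0;
}

/* Build the filter and compare with expected: 1 on match, else 0. */
int cn_filter_equals(const char *value, const char *expected)
{
    char filter[512];
    if (build_cn_filter(value, filter, sizeof filter) != 0)
        return 0;
    return strcmp(filter, expected) == 0;
}
```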
